content/base/test/csp/test_CSP_bug910139.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 <!DOCTYPE HTML>
     2 <html>
     3 <head>
     4   <title>CSP should block XSLT as script, not as style</title>
     5   <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
     6   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
     7   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
     8 </head>
     9 <body>
    10   <p id="display"></p>
    11   <div id="content" style="display: none"></div>
    12   <iframe style="width:100%;" id='xsltframe'></iframe>
    13   <iframe style="width:100%;" id='xsltframe2'></iframe>
    15 <script class="testbody" type="text/javascript">
    17 SimpleTest.waitForExplicitFinish();
    19 // define the expected output of this test
    20 var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
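/**
 * Load handler for #xsltframe (first load of file_CSP_bug910139.sjs).
 *
 * The policy for this test is:
 *   Content-Security-Policy: default-src 'self'; script-src 'self'
 *
 * we load the xsl file using:
 *   <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
 *
 * The XSL href is relative, so the stylesheet is same-origin with the XML;
 * under this policy the transform is permitted whether CSP treats XSLT as
 * script or as style. This is the positive control: the transformed document
 * must contain #xsltheader with the text held in `header`.
 * Afterwards the second frame is loaded to run checkBlocked.
 */
function checkAllowed () {
  try {
    var cspframe = document.getElementById('xsltframe');
    // Throws if the frame document cannot be accessed or #xsltheader is
    // missing (null.innerHTML); the catch below reports that as a failure.
    var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
    is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
  }
  catch (e) {
    ok(false, "Error: could not access content in xsltframe!");
  }

  // continue with the next test: same sjs, served under a policy whose
  // script-src does not include 'self' (see checkBlocked)
  document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false);
  document.getElementById('xsltframe2').src = 'file_CSP_bug910139.sjs';
}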
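/**
 * Load handler for #xsltframe2 (second load of file_CSP_bug910139.sjs).
 *
 * The policy for this test is:
 *   Content-Security-Policy: default-src 'self'; script-src *.example.com
 *
 * we load the xsl file using:
 *   <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
 *
 * This load is what separates the two behaviours: the XSL is same-origin, so
 * if CSP governed XSLT as a style it would fall under default-src 'self' and
 * be applied; governed as script it falls under script-src, which does not
 * include 'self', so it must be blocked. A blocked transform leaves no
 * #xsltheader element in the frame document (the `header` text suggests the
 * raw XML is shown instead — not asserted here).
 *
 * NOTE(review): the assertion only checks the absence of #xsltheader, so a
 * frame that failed to load for an unrelated reason would also pass this
 * step; read a failure here together with the result of checkAllowed.
 * Finishes the test.
 */
function checkBlocked () {
  try {
    var cspframe = document.getElementById('xsltframe2');
    var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
    is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
  }
  catch (e) {
    ok(false, "Error: could not access content in xsltframe2!");
  }
  SimpleTest.finish();
}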
    61 SpecialPowers.pushPrefEnv(
    62   {'set':[["security.csp.speccompliant", true]]},
    63   function () {
    64     document.getElementById('xsltframe').addEventListener('load', checkAllowed, false);
    65     document.getElementById('xsltframe').src = 'file_CSP_bug910139.sjs';
    66   }
    67 );
    69 </script>
    70 </body>
    71 </html>
